Many charities will be aware that the General Data Protection (GDPR) requires that data controllers respond to data subject access requests, and other requests to exercise data subject rights, for example, the right to erasure, 'without undue delay and at the latest within one month' (Recital 59). Until recently, the ICO's GDPR guidance had explained that the time limit should be calculated from the day after a request is received.
On 15 August 2019 however, the ICO announced that following a ruling by the Court of Justice of the European Union (Case C-17103 Maatschap Toeters and M.C. Verberk v Prodcutschap Vee en Vlees, actually dated 11 November 2004), which considered the application the interpretation of the rules related to periods, dates and time limits, the Guide would be amended so the time limit for response should be calculated from the day a request is received.
For example, this means that if a request is received on 3 September, it should be responded to by 3 October. It is also explained that where the date for response would be a weekend or public holiday the position will be that the data controller has until the next working day to respond.
There are circumstances in which the calculation may differ again. For example, where a controller has requested further information from the requester in order to either verify their identity or clarify their request, the period for response should be calculated from the day on which the verification or clarification information is received. Where a controller receives a request which is complex or receives a number of requests from a requester, and the controller extends the response time by two months, the latest date for response will then be three months from the date the request is received.
Charities which have a process in place for responding to data subject requests should check if it needs to be amended to take account of this change.